Target Issues Phishing Warning

Scam Communications Have Increased in Wake of Breach
Target Issues Phishing Warning

As more details about the payments breach at Target Corp. unfold, the retailer on Christmas Eve issued a warning about phishing scams linked to communications that appear to be from Target (see Target: Breach Caused by Malware).

See Also: Breach Prevention: Hunting for Signs of Compromise


Target, which has been sending out communications about the breach through e-mail and social media channels such as Facebook, now says it is launching a page on the Target website where consumers can access official communications.

"We are aware of limited incidents of phishing or scam communications," Target notes in its Dec. 24 statement. "To help our guests feel confident that what they are hearing from Target is really from us, we are in the process of setting up a dedicated resource on our corporate website where we will post pdfs of all official communications that Target sends to our guests. We expect that to post later this afternoon."

On its FAQ page, Target specifically addresses risks associated with socially engineered scams feigning to be related to the breach recovery.

"Your Social Security number was not compromised," the retailer states on its site. "Be wary of scams that may appear to offer protection but are really trying to get personal information from you. If you have any suspicions about the authenticity of an e-mail or text, do not click the links in it. Please go directly to the sites you need to access. Visit as a resource for official communications that Target has sent to our guests."

On Dec. 23, Target confirmed that malware was to blame for the compromise that infected its point-of-sale system.

Just days earlier, an executive with one of the leading U.S. card issuers affected by the Target attack, who asked not to be named, told Information Security Media Group that about 40,000 of the retailer's 60,000 point-of-sale terminals were infected with an executable file, likely malware that was automatically downloaded from a hacked server. Once infected, the devices were instructed to store and forward magnetic-stripe data collected during transactions at the POS, the executive said.

"Clearly, it was an external intrusion," the executive says. "It would follow that it was done through the infrastructure that Target uses to send updates down to their POS terminals."

Now, according to a news story posted Dec. 24 by Reuters, questions are brewing about whether PINs associated with debit transactions were, in fact, compromised. According to Reuters, an unnamed executive with a leading U.S. bank says the hackers who broke into Target's network could have cracked the encryption code used to protect PINs. Target has denied those claims, however.

Target's Response, So Far

The breach, which likely exposed 40 million U.S. debit and credit accounts, has spurred Target to launch a massive communications plan - one that has been praised by industry experts.

Andrew Walls, a social media expert who's an analyst at the consultancy Gartner, says Target's communications with consumers highlight the need for more use of social media communications by organizations in the wake of a breach.

"This is just about communications at the end of the day," he says.

On Dec. 23, in response to requests from numerous state attorneys general, Target took communications a step further and hosted a call with its general counsel to answer additional questions about the breach and subsequent notification.

"Tim Baer, Target's EVP and general counsel, hosted a call for attorneys general across the country to discuss the recent data breach that impacted Target guests in the United States," Target says in its Dec. 24 statement. "The majority of state offices were in attendance on the call. We felt it was important to proactively bring this group together to provide them with information about the issue and answer their questions as well as those of their constituents, who are our guests. We are committed to keeping the attorneys general informed as the ongoing investigation moves forward and will host a follow up call with them the week of Jan. 6."

Just a week earlier, attorneys general in Connecticut, Iowa, Massachusetts, New York and South Dakota had asked Target to provide more information about its breach. And New York Attorney General Eric Schneiderman even requested that Target provide one year of free credit monitoring to all impacted New York residents.

Target has offered to provide credit monitoring to anyone impacted by the breach, but does not say for how long it will offer that monitoring.

"We continue to work around the clock, including Christmas, to address the questions and concerns of our guests. We will continue to provide updates to you as they become available," Target states.

About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network